Many modern organizations have a security operations center (SOC) to deal with security issues on an organizational and technical level. A SOC may be a centralized unit where security applications and/or network administrators supervise, among other things, the organization's network and network devices to monitor for, investigate, and defend against potential security threats. For example, the SOC may be tasked with monitoring network devices using security applications that alert SOC network administrators each time a network device is suspected of having been compromised from a security standpoint. For example, a network device may be compromised because a user within the organization's network, such as an employee, a contractor, or a business associate, has gone rogue. Such a user is commonly referred to as an “insider,” and this situation is commonly referred to as an “insider threat.”
An insider threat can leave an organization's network particularly vulnerable because the user may have extensive access to the network. This extensive access may enable the user to pose a greater threat to the organization's network than a typical “outsider” without such access. The threats posed by insider threats may include fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. However, because the user involved in an insider threat has been given extensive access to the organization's network, it can be difficult for the organization's SOC network administrators to manually detect a potential insider threat in time to defend the organization's network, which leaves the network and its associated network devices vulnerable.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one example technology area where some embodiments described herein may be practiced.